From 4ca4133aa98edf5438ade15edc3a29856d9f9634 Mon Sep 17 00:00:00 2001
From: Jan Schlosser
Date: Fri, 19 Jun 2026 08:59:26 +0200
Subject: [PATCH] Fix false positives in RULE-6-9-2/A3-9-1 for auto-deduced types

Variables declared with 'auto' or 'decltype(auto)' should not be flagged when the deduced type resolves through fixed-width typedefs (e.g. uint32_t) to a built-in integer type. The programmer never explicitly wrote a variable-width type name in these cases. This is analogous to the existing template instantiation exclusion (#540).

Fixes: #1145
---
 .../2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md | 2 ++
 .../VariableWidthIntegerTypesUsed.qll | 4 ++++
 .../VariableWidthIntegerTypesUsed.expected | 2 ++
 .../rules/variablewidthintegertypesused/test.cpp | 12 ++++++++++++
 4 files changed, 20 insertions(+)
 create mode 100644 change_notes/2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md
diff --git a/change_notes/2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md b/change_notes/2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md
new file mode 100644
index 0000000000..2bd7e64940
--- /dev/null
+++ b/change_notes/2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md
@@ -0,0 +1,2 @@
+- `RULE-6-9-2`, `A3-9-1` - `VariableWidthIntegerTypesUsed.qll`:
+ - Fixed false positives for variables declared with `auto` or `decltype(auto)` where the deduced type resolves through fixed-width typedefs (e.g., `std::uint32_t`) to a built-in integer type. The programmer never wrote a variable-width type name in these cases.
diff --git a/cpp/common/src/codingstandards/cpp/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.qll b/cpp/common/src/codingstandards/cpp/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.qll
index 047d501a22..022b95d64e 100644
--- a/cpp/common/src/codingstandards/cpp/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.qll
@@ -33,6 +33,10 @@ query predicate problems(Element e, string message) {
 // Fixed Width Types are recorded after stripping their typedef'd type,
 // thereby, causing false positives (#540).
 not v.isFromTemplateInstantiation(_) and
+ // Dont consider variables declared with `auto` or `decltype(auto)` because
+ // the deduced type may resolve through fixed-width typedefs (e.g. uint32_t)
+ // to a built-in type, even though the programmer never wrote that type name.
+ not v.declaredUsingAutoType() and
 //post-increment/post-decrement operators are required by the standard to have a dummy int parameter
 not v.(Parameter).getFunction() instanceof PostIncrementOperator and
 not v.(Parameter).getFunction() instanceof PostDecrementOperator and
diff --git a/cpp/common/test/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.expected b/cpp/common/test/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.expected
index eab4694e7c..52df0a44db 100644
--- a/cpp/common/test/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.expected
+++ b/cpp/common/test/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.expected
@@ -50,3 +50,5 @@
 | test.cpp:123:6:123:21 | test_long_return | Function 'test_long_return' has variable-width return type. |
 | test.cpp:126:15:126:39 | test_unsigned_long_return | Function 'test_unsigned_long_return' has variable-width return type. |
 | test.cpp:129:13:129:35 | test_signed_long_return | Function 'test_signed_long_return' has variable-width return type. |
+| test.cpp:160:5:160:11 | get_int | Function 'get_int' has variable-width return type. |
+| test.cpp:166:7:166:18 | explicit_int | Variable 'explicit_int' has variable-width type. |
diff --git a/cpp/common/test/rules/variablewidthintegertypesused/test.cpp b/cpp/common/test/rules/variablewidthintegertypesused/test.cpp
index bee63342e2..9d59e12180 100644
--- a/cpp/common/test/rules/variablewidthintegertypesused/test.cpp
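Review bot: The added `not v.declaredUsingAutoType()` conjunct in VariableWidthIntegerTypesUsed.qll excludes every `auto`-declared variable, which is broader than the comment above it says. The comment justifies the exclusion only for deductions that pass through a fixed-width typedef, yet the new test also marks `auto a2 = get_int();` as compliant, where no such typedef is involved. For a coding-standard query this is a deliberate false-negative trade-off and the comment should say so, for example `// Don't consider variables declared with auto or decltype(auto): the programmer wrote no type name,` followed by `// so the rule is not applied even when the deduced type is a plain built-in such as int.`, which also fixes the "Dont" typo. The `problems` predicate begins and ends outside this hunk, so how the new conjunct combines with the remaining conditions cannot be checked from here.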
+++ b/cpp/common/test/rules/variablewidthintegertypesused/test.cpp
@@ -153,3 +153,15 @@ std::uint32_t test_uint32_t_return() { // COMPLIANT
 std::uint64_t test_uint64_t_return() { // COMPLIANT
 return 60;
 }
+
+// Regression test: auto-deduced types should not be flagged even when
+// the deduced type resolves through fixed-width typedefs to a built-in type.
+std::uint32_t get_uint32() { return 0; }
+int get_int() { return 0; }
+
+void test_auto_deduced_types() {
+ auto a1 = get_uint32(); // COMPLIANT - auto deduces through uint32_t
+ auto a2 = get_int(); // COMPLIANT - auto, programmer didn't write 'int'
+ const auto a3 = 42U; // COMPLIANT - auto
+ int explicit_int = 0; // NON_COMPLIANT - explicit variable-width type
+}
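Review bot: The regression test in `test_auto_deduced_types` has no `decltype(auto)` case, although the commit message, the change note and the new comment in the .qll all state that `decltype(auto)` declarations are excluded. Nothing in this patch shows that `declaredUsingAutoType()` holds for them, so the claim is currently unverified. Adding `decltype(auto) a4 = get_uint32(); // COMPLIANT - decltype(auto)` to the function, with the expected file left without an entry for it, would pin that behaviour and catch a regression if the predicate only matches plain `auto`.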